Security Breach?

Started by qwaven, February 06, 2007, 04:52:57 AM


qwaven

Hello,

A friend of mine showed me this video called "Local JPG shell Inclusion (LFI using php injected JPG)". So I am wondering if this is a) possible to do through Coppermine and b) if so, is there a way to prevent this? Such as disallow code execution from anything other than php files (not dont allow them to upload them).

See video here: http://milw0rm.org/video/watch.php?id=57
Website home page (in case link does not work): http://milw0rm.org

Please get back to me,
Thanks

qwaven

Sorry typo!!!

This: Such as disallow code execution from anything other than php files (not dont allow them to upload them).

What it was meant to read:

Such as disallow code execution from anything other than php files (Don't allow them to upload them).

qwaven

No one has anything for me?

Joachim Müller

This is a matter of webserver setup, not an issue related to Coppermine. The webserver should be set up to only parse files that are actually specified by extension. There is a flaw (or improperly documented feature) of the Apache webserver that allows files with unknown extension to be parsed by the PHP interpreter. Subsequently, a file named some_evil_script.php.foo could contain malevolent PHP code and get executed if it gets on the server. Therefore, an app that allows uploads (like Coppermine) has to make sure that only valid files can get uploaded. This is being accomplished in Coppermine by replacing all dots but the last one in a file name with underscores during upload (the file in the above example gets renamed to some_evil_script_php.foo), so no harm is being done. However, this is not related to the flaw you referred to in the first place. Not sure what to recommend. As I suggested above: it's a webserver issue, not a Coppermine issue.
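The renaming rule described in the post above, as an added example that is not part of the original thread and is not Coppermine's own code. It goes beyond the post by also enforcing an extension allowlist and handling path components, dotfiles and trailing dots; the function name `sanitize_upload_name`, the allowlist and the sample file names are assumptions made for illustration.

```php
<?php
// Added illustration, not Coppermine code. Names and allowlist are hypothetical.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif']; // assumption: image-only gallery

/**
 * Returns a storage-safe file name, or null if the upload must be rejected.
 * Only the final extension survives; every earlier dot becomes "_", so a
 * server that honours inner extensions never sees ".php" in the stored name.
 */
function sanitize_upload_name(string $clientName): ?string
{
    // Discard any directory part the client sent (both separator styles).
    $name = basename(str_replace('\\', '/', $clientName));
    // Remove control characters, including NUL.
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name);
    // Some filesystems silently drop trailing dots and spaces; strip them
    // first so the extension that is checked is the one that gets stored.
    $name = rtrim($name, '. ');

    $lastDot = strrpos($name, '.');
    if ($lastDot === false || $lastDot === 0) {
        return null; // no extension, or a dotfile such as ".htaccess"
    }

    $stem = substr($name, 0, $lastDot);
    $ext  = strtolower(substr($name, $lastDot + 1));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null; // final extension is not an accepted image type
    }

    // The rule from the post: all dots but the last one become underscores.
    $stem = str_replace('.', '_', $stem);
    // Keep a conservative character set in the rest of the name.
    $stem = preg_replace('/[^A-Za-z0-9_-]/', '_', $stem);

    return $stem . '.' . $ext;
}

// Constructed sample inputs, not taken from any real upload log.
$samples = ['holiday.jpg', 'some_evil_script.php.jpg', 'some_evil_script.php.foo',
            '.htaccess', '../../x.PHP.Png', 'photo.jpg.'];
foreach ($samples as $sample) {
    printf("%-28s => %s\n", $sample, sanitize_upload_name($sample) ?? 'REJECTED');
}
```

This only controls the stored name; whether the web server hands files in the upload directory to the PHP interpreter is still a server configuration matter, as the replies in this thread point out.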

qwaven

Hmm, I was thinking, since the code would be originally executed/sent from Coppermine, since the 'abuser' would upload an image, and then click on the uploaded image to execute it. I was thinking that there would be something like 'do not pass *.jpg to php' ...

Anyway I'm sure you know more about this than I do. I was just trying to bring it to your attention in case it was something that could be fixed on your end.

Anyway as always keep up the great work!

Thank you for the reply :)

Nibbler

When your web browser requests an image that has been uploaded to the gallery, Coppermine is not involved in any way. The webserver should be configured to not treat the image as PHP code any more than code in a plain text document.

qwaven

Hmm ok well thanks for the information :)